-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create policy for a container_device_t #178
Conversation
Replaces: #177 |
@mregmi lets work together on this one. Could you try this policy out on your system and tell me what AVCs are created? |
Thank you. i will test it out today. |
Hi Dan, i am seeing error related to connectto.
audit2allow suggests the following |
That means that kubernetes is not running with the correct label. Can you run restorecon on the kublet and see if it gets relabeled to kublet_exec_t, and then restart it and make sure it is running as kublet_t. That would change the access to container_device_t connectto kublet_t which should be allowed. |
yes it was not running with new label. restorecon worked. Thank you. There are a also couple of things we need for this. Also one of the plugin we are releasing later this year also needs access to sysfs (files in /sys) which have sysfs_t. the container_device_t would also need access to this. Do we want to add this while we are doing this? lastly the workloads using these plugins will just need access to /dev (wont need connectto and other things). One way they can work is using the setsebool. do you think it would be better to have a workload specific label with just access to /dev/? |
Can you write this up in a table. When you say access to sysfs_t, are you talking read or write? Also are you mounting in /sys from the host into the container? /sys is usually namespaced. Are you saying only the init container needs to talk to kublet? And not the general continer? Could we just run with |
So there are 3 types of the containers for device plugins:
Thanks. |
On 4/25/22 16:27, Manish Regmi wrote:
So there are 3 types of the containers for device plugins:
1.
The device plugins (the container_device_t in current patch):
container_device_t = container_t + r/w /dev (device_t) + r/w
kubelet socket + r/w some parts of /sys (sysfs_t)
Like /dev, /sys is also volume mounted from host
Need a new type for this?
container_device_manager_t?
container_device_kube_t?
contaner_device_???_t?
1.
2.
init container
container_device_init_t = container_t + kubernetes_file_t (because
it needs access to /etc/kubernetes/node-feature-discovery )
container_device_init_t is good.
Is this just read or read/write?
1.
2.
the third one is the normal containers with end users application.
in most cases they just need /dev/ file access.
container_t + access to /dev (device_t)
This should be container_device_t
Is this just getattr of /dev/*?
… 1.
Thanks.
—
Reply to this email directly, view it on GitHub
<#178 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPIPQ7QRX3P42BBJYDJOQ3VG354DANCNFSM5UCMQ4HQ>.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Yes lets go with these:
The workload (3) will need both read and write to device_t. |
How does this look? container_domain_template(container_device) container_domain_template(container_device_plugin) container_domain_template(container_device_plugin_init) |
834cadd
to
b849706
Compare
one small comment. container_device_plugin_t will also need rw access to /sys so a rule allowing to sysfs_t might be needed. |
container.fc
Outdated
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) | ||
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) | ||
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) | ||
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kublet_exec_t,s0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this be kubelet_exec_t
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixing.
with some devices, the |
@rhatdan I also saw this error when testing the latest policy. type=AVC msg=audit(1651188022.040:40076): avc: denied { read write } for pid=1185191 comm="cp" name="intel-sgx-epchook" dev="sda4" ino=614477480 scontext=system_u:system_r:container_device_plugin_init_t:s0:c178,c513 tcontext=system_u:object_r:container_file_t:s0:c351,c450 tclass=file permissive=1 type=AVC msg=audit(1651188022.058:40077): avc: denied { setattr } for pid=1185191 comm="cp" name="intel-sgx-epchook" dev="sda4" ino=614477480 scontext=system_u:system_r:container_device_plugin_init_t:s0:c178,c513 tcontext=system_u:object_r:container_file_t:s0:c351,c450 tclass=file permissive=1 audit2allow gives this warning.
|
This means that you ran a container with one label which created content and then attempted to read/write the content from a different. If the content needs to be shared between multiple containers running in different Pods. then the container_file_t content has to be labeled as s0, not with a private label for the container. |
Added, does it need to set sysctls as well or just this one field. |
I think this line dev_rw_sysfs((container_device_plugin_t) I will debug the above container_file_t issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
after a quick fix related to the things i commented. the labels works for the plugins. i think we can merge after fixing those small issues.
container.te
Outdated
# communicate with kublet | ||
container_domain_template(container_device_plugin) | ||
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms; | ||
dev_rw_sysfs((container_device_plugin_t) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there is a typo. should be dev_rw_sysfs(container_device_plugin_t)
container.te
Outdated
# modify kublet configuration | ||
container_domain_template(container_device_plugin_init) | ||
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms; | ||
dev_rw_sysfs((container_device_plugin_t) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be dev_rw_sysfs(container_device_plugin_init_t)
container.te
Outdated
') | ||
|
||
|
||
type kublet_exec_t; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in container.fc, it was changed to kubelet_exec_t. so these needs to be changed too. i saw module load error without this change.
@rhatdan only one comment at dev_rw_sysfs lines. second one should be dev_rw_sysfs(container_device_plugin_init_t). |
The latest push does not seem to have any change. |
Also create policy for container_device_plugin_t and container_device_plugin_init_t. This policy can be used for kubernetes/container plugins which add devices to containers. Signed-off-by: Daniel J Walsh <[email protected]>
LGTM. Thank you @rhatdan for helping out with this issue. |
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. Signed-off-by: Talor Itzhak <[email protected]>
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. Signed-off-by: Talor Itzhak <[email protected]>
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. We gradually want to depracate the custom SELinux context and use this one instead. Signed-off-by: Talor Itzhak <[email protected]>
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. We gradually want to depracate the custom SELinux context and use this one instead. Signed-off-by: Talor Itzhak <[email protected]>
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. We gradually want to depracate the custom SELinux context and use this one instead. Signed-off-by: Talor Itzhak <[email protected]>
The `container_device_plugin_t` label type, allows communication with `kubelet_t` context: containers/container-selinux#178. The PodResourceAPI socket is an object created by Kubelet so it inherents the same process context, i.e. `kubelet_t`. We gradually want to depracate the custom SELinux context and use this one instead. Signed-off-by: Talor Itzhak <[email protected]> (cherry picked from commit 170037a)
This policy can be used for kubernetes/container plugins which add
devices to containers.
Signed-off-by: Daniel J Walsh [email protected]